Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Introduction
Protected Clipboard in Microsoft Edge for Business is designed to help organizations safeguard sensitive data by controlling copy and paste actions between managed and unmanaged web applications. By leveraging configurations in Purview DLP policies targeting managed cloud apps, Protected Clipboard helps ensure that data remains within admin defined trusted boundaries, reducing the risk of accidental or intentional data leakage, especially as users interact with modern SaaS and GenAI tools.
Protected Clipboard in Edge for Business empowers organizations to protect sensitive data at the clipboard level, balancing security and productivity. With policy-driven enforcement, silent user experience, and flexible admin controls, it’s a modern solution for today’s browser-based workflows.
Note
This document is primarily focused on implementation using Microsoft Purview DLP policies targeting managed cloud apps with Edge for Business (E5). For organizations using Microsoft 365 E3 with Intune Mobile Application Management (MAM), see the section below for how Protected Clipboard applies to work profiles.
About Screen Capture protection
For a stronger, unified story around clipboard protection, Edge for Business also includes Screen Capture protection. This feature restricts screenshots and recordings during protected browsing sessions to keep sensitive enterprise data secure. When enabled, screen capture is automatically blocked only on pages or sites where a Copy:Block policy is active. Screenshots are treated as an extension of copy protection, helping prevent unauthorized data exfiltration via screen capture, alongside clipboard controls.
When the Protected Clipboard toggle is configured in the Edge Management Service portal, the Screen Capture Protection policy will also be enabled by default. This ensures that both clipboard and screen capture controls work together to prevent data leakage. Screenshots can be used to bypass clipboard restrictions, so enabling both policies by default provides a more comprehensive layer of protection for sensitive enterprise data.
Note
The Screen Capture protection policy only applies to sites/pages with a Copy:Block Purview DLP policy. It doesn't block screenshots globally; enforcement is limited to locations where copy protection is active.
For organizations seeking broader screenshot restrictions beyond Purview DLP policies targeting managed cloud app enforcements, Microsoft Edge also supports global controls such as DisableScreenshots Policy:
Admins can block screenshots across all sites in Edge for Business using the Microsoft Edge Browser Policy Documentation DisableScreenshots | Microsoft Learn
This policy disables Edge’s built-in screenshot and Web Capture features for all sites, but doesn't block OS-level tools (such as Windows Snipping Tool).
Requirements
To use Protected Clipboard and Screen Capture protection, ensure your environment meets the following prerequisites:
- Microsoft Edge for Business (latest version recommended)
- Microsoft 365 E3 or E5 subscription
- Purview DLP policies targeting managed cloud apps configured in the Microsoft Purview portal
- Intune MAM support
- Access to the Edge Management service portal to opt-into Protected Clipboard and screen capture protections (In Preview).
Defining Trusted Boundaries for E5
Protected Clipboard in Microsoft Edge for Business lets organizations define how and where sensitive data can move via copy and paste. By configuring Purview DLP policies admins can establish their trusted boundary. A trusted boundary means that data inside the boundary can't leave, and is blocked from being pasted outside. At the same time, data from outside the boundary can enter, allowing it to be pasted inside when needed.
We describe a trusted boundary as a set of managed web apps and sites where clipboard data can safely flow. Attempts to move data outside this boundary (for example, into unmanaged apps, personal browser tabs, or GenAI tools) are silently blocked, reducing the risk of data leaks without disrupting user productivity.
Trusted boundaries are established through configurations made in Purview DLP policies targeting managed cloud apps. Admins can:
- Specify managed cloud apps to include in the policy boundary
- Target policies to specific users or groups
- Adjust boundaries as organizational needs evolve
When a Purview DLP policy targeting managed clouds with a rule applied to the Copy action is active, Edge automatically enforces clipboard controls based on these boundaries, helping prevent sensitive data from being pasted outside of the trusted boundary.
Trusted Boundary for E3
Protected Clipboard is also available for organizations using Microsoft 365 E3 with Intune Mobile Application Management (MAM). In this scenario, the trusted boundary is the Edge work profile. All copy/paste actions are restricted within the managed work profile. That is, data can't be pasted outside the profile, ensuring sensitive information remains protected even on BYOD or unmanaged devices.
- Trusted Boundary: Edge work profile (Entra ID identity)
- Policy Enforcement: Admins configure Intune MAM policies to restrict copy/paste within the work profile.
- User Experience: Copy/paste is allowed only between sites and apps inside the managed profile. Attempts to paste outside the profile are blocked with the message: “Your organization’s data can't be pasted here.”
Why Modes Matter
Different organizations and scenarios require different levels of governed clipboard control. Protected Clipboard offers several enforcement modes, each shaping the trusted boundary in a unique way. These modes let you balance security and productivity, helping protect data sharing while users can work efficiently within approved environments. Admins can adjust these boundaries as organizational needs evolve.
Protected Clipboard Modes Explained
| Mode | What Happens to Data? (Trusted Boundary Outcome) | Purview DLP Policy for managed cloud apps |
|---|---|---|
| Not configured | Data can move freely. No trusted boundary is enforced. Users can copy and paste between managed apps. | Purview policy rules are enforced, which can include blocking copy. |
| Tab-Only | Data stays within the trusted boundary of the same browser tab. Copy/paste is blocked outside that tab. | Activated by using Copy:Audit or Copy:Block configurations. Allows a managed app with Audit or Block to copy/paste within the same tab. |
| Shared Boundary | These managed apps form a shared trusted boundary. Clipboard data can't leave this group of managed apps. | Activated by Copy:Block configurations. Only managed apps with Block share clipboard. Managed apps in audit-only policies are excluded and not part of the boundary. |
| Hybrid | These sites share a broader trusted boundary. | Activated by Copy:Audit or Copy:Block configurations. Apps with Audit can paste into apps with Block. Managed apps with Block can't paste into apps with Audit. Managed apps with Block are limited to same-tab behavior. |
All modes require a rule using the Copy configuration Purview DLP policy set up via Microsoft Purview.
How to Choose a Mode
- Start with your data protection goals: Do you want to keep data within a single app, groups of apps, or allow broader sharing within trusted apps?
- Consider user workflows: If users need to copy between multiple managed apps, Shared Boundary or Hybrid may be best. For strict isolation, Tab-Only is ideal.
- Monitor and adjust: Use reporting to see how policies are working and refine your trusted boundaries as needed.
Getting started
Protected Clipboard is designed for simplicity and seamless integration into your existing security workflows. Refer to Help Prevent Users from Sharing Sensitive Info with Cloud Apps in Edge for Business | Microsoft Learn to get started. In short:
1. Policy Creation
Start in the Purview portal. Create a policy for managed cloud apps that defines your trusted boundary specifying which managed apps can exchange clipboard data.
2. Policy Assignment
Assign the policy to relevant users or groups. Once assigned, the Purview policy activates automatically in Edge for Business. Protected Clipboard enforcement however, is gated by configuration through the Edge Management Service portal (Step 3). No manual intervention is needed on the user side.
3. Clipboard Enforcement a. Within the trusted boundary: Users can copy and paste between managed web apps. b. Crossing the boundary: Attempts to paste content into unmanaged apps, personal browser tabs, or GenAI tools are silently blocked. There’s no pop up or warning; the paste simply doesn’t work.
4. Monitoring & Reporting
Use Purview policy data and alerts to monitor policy effectiveness, including blocked paste attempts. This helps with compliance and troubleshooting.
Note
When the Protected Clipboard toggle is configured in the Edge Management Service portal, the Screen Capture Protection policy will also be enabled by default. Refer to the section above for more information.
Additional Customization (Coming Soon)
Protected Clipboard and related policy controls are currently in Preview. Additional customization options are planned for future releases, developed in close collaboration with the Microsoft Purview team. These improvements will allow for more granular enforcement and flexibility, and provide admins with greater control over data protection scenarios to fit unique business needs, user groups, and compliance requirements, delivering a more robust and adaptable security posture.
Please refer to the Microsoft 365 roadmap for Edge for Business for the most up to date information on feature availability.
Note
As these features are in Preview, functionality and availability may change. For the latest updates, refer to official Microsoft documentation and roadmap communications.
Feedback and support
This experience is supported by Microsoft Support. You can reach out to Microsoft Support to report issues or give feedback. You can also leave feedback in our TechCommunity forum.